1. Technical Field
The present invention relates generally to data processing systems and in particular to data analysis and interpretation on a data processing system. Still more particularly, the present invention relates to a method, system, and program product for dynamically expanding policy documents for data processing systems and networks utilizing dynamic data analysis and interpretation.
2. Description of the Related Art
The use of computer networks by companies and corporations has become the norm for internal communication and for sharing information and assets. Many businesses today have an internal network that connects employee terminals to a central server (or bank of servers). These internal networks are often further connected to an external network, such as the Internet. In some cases, such as online retail, the business network also includes external customer systems.
Networks require maintenance, and most networks are maintained by a system administrator, who is responsible for both the upkeep and the security of the network. Security is becoming increasingly important as many businesses keep valuable company assets on their networks. In addition, businesses offering customer services over their networks are increasingly concerned about the security of the online transactions and services they provide. As the need for security grows and more companies use their networks to carry out day-to-day business and to transmit sensitive information, the burden of system administration has increased greatly.
In addition to security concerns, network administrators are responsible for providing the basic operating rules that govern how network resources are used. These operating rules are required to provide stability and consistency in a network that is used by a large number of different users, for different purposes and in different ways.
A current method by which a network administrator ensures that a network is used properly, while maintaining network security, is the policy document. The policy document is a set of statements (rules or constraints) on network resources that users of the system are expected to respect. The document is important because it helps to define the assets within a network and the proper use of those assets. The policy document also defines which assets to protect, and how and when those assets are to be protected. Ideally, the document is written in a language that closely resembles human-readable language and that can be translated into a form usable by the computer.
The initial policy document is created by the system administrator, who spends a significant amount of time deciding on the rules to apply to the particular network. The policy document defines the proper use of the network in terms of a set of known events occurring on the network, which the system administrator has incorporated into the rule base of the document. All other events occurring in the network are untracked and represent unknown events from the perspective of the policy document. Since each network is different, the rules appropriate for one network may differ greatly from those for another. The policy document is network specific because it is closely tied to the needs of the business, or entity, that operates the network. For example, an event that is unknown in one network may need to be included within the rule base of the policy document (i.e., as a known event) in another network. Thus, each network requires the creation of its own initial policy document, often from scratch. Notably, the policy document also does not change in response to changes in the network. Rather, the document changes only in response to an individual's idea of how the network services should be used and the resources allocated.
Despite these shortcomings, many networks use policy documents because the documents are crucial for managing business processes and resources. The policy document serves as a baseline for performance and quality assessment, as well as a means of communicating those criteria to others. In the context of network security, the policy document defines what constitutes appropriate use of network resources, when those resources should be used, and by whom.
While prominent security organizations such as SANS insist that a formal information security policy document is fundamental to the security of any network, few organizations have one. The lack of formal security policy documents is primarily because creating one is a daunting and time-intensive task that offers no immediate benefit. A typical network has a very large number of operating features that must be described; yet once these features are captured within the security policy document, the monitoring tasks of the network administrator are still not made easier. Most notably, changes in the way a network operates or is used (i.e., changes to the rules of a policy document currently in place) are not easily accomplished, particularly when those changes involve events that were not previously tracked within the rule base of the policy document.
Typically, when a network is running (particularly as the size and use of the network increase), a large number of unknown events occur that were not considered important during the creation of the initial policy document. Over time, some of these events may come to be considered relevant for tracking within the policy document. However, although these unknown events are seen by the monitoring component of the policy document, they are not considered to be of interest and are not specifically identified by the policy document. Moreover, with such a large database of events, the task of reading through the database to select significant (previously unknown) events and/or updating the policy document to cover selected ones of those events is daunting.
Thus, despite the introduction of the policy document, there is presently no mechanism that enables System Administrators (SAs) to easily generate or update a policy document from the "unknown" event data captured during network operation. There is no available method or system that enables or assists a system administrator to dynamically develop and expand a policy document over time, and to introduce additional or new policies that address events which were not included in the rule base of a previous version of the policy document.
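As an added illustration (not code from this application), the following Python sketch shows the known/unknown split described above: a small rule base evaluates constructed sample events, records the signature of every event that no rule covers instead of discarding it, and ranks those signatures so an administrator has a short list to consider when extending the document rather than a raw event database. The event fields, rule names, and sample events are all hypothetical.

```python
"""Rule-base policy check over network events, with unknown-event capture.

Added illustration, not the application's own code. Events that no rule
covers are the "unknown" events of the background text: the monitor sees
them, but the policy document never identifies them. Here their
(action, asset) signature is tallied so they can be reviewed and promoted
into the rule base later.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One event as a monitor might report it (field names are hypothetical)."""
    user: str
    action: str
    asset: str
    hour: int  # 0-23, local time


@dataclass
class Rule:
    """A policy statement: which (action, asset) pair it covers and whether
    a covered event is permitted."""
    name: str
    action: str
    asset: str
    allowed: Callable[[Event], bool]

    def covers(self, ev: Event) -> bool:
        return ev.action == self.action and ev.asset == self.asset


@dataclass
class PolicyDocument:
    rules: List[Rule]
    # Signature (action, asset) -> number of events no rule covered.
    unknown: Counter = field(default_factory=Counter)

    def evaluate(self, ev: Event) -> str:
        """Return 'allow' or 'deny' for a known event, 'unknown' otherwise."""
        for rule in self.rules:
            if rule.covers(ev):
                return "allow" if rule.allowed(ev) else "deny"
        # Untracked event: record its signature rather than dropping it.
        self.unknown[(ev.action, ev.asset)] += 1
        return "unknown"

    def candidates(self, min_count: int = 2) -> List[Tuple[Tuple[str, str], int]]:
        """Unknown signatures seen at least min_count times, most frequent first."""
        return [(sig, n) for sig, n in self.unknown.most_common() if n >= min_count]

    def promote(self, action: str, asset: str, allowed: Callable[[Event], bool]) -> None:
        """Extend the rule base with a rule for a previously unknown signature."""
        self.rules.append(Rule(f"auto-{action}-{asset}", action, asset, allowed))
        del self.unknown[(action, asset)]


def business_hours(ev: Event) -> bool:
    return 8 <= ev.hour < 18


def build_policy() -> PolicyDocument:
    """A two-rule initial document; everything else is untracked."""
    return PolicyDocument(rules=[
        Rule("payroll-read-hours", "read", "payroll-db", business_hours),
        Rule("no-payroll-export", "export", "payroll-db", lambda ev: False),
    ])


# Constructed sample events, not captured from any real network.
SAMPLE_EVENTS = [
    Event("alice", "read", "payroll-db", 10),
    Event("bob", "read", "payroll-db", 2),
    Event("carol", "export", "payroll-db", 11),
    Event("dave", "ssh", "build-server", 22),
    Event("erin", "ssh", "build-server", 23),
    Event("frank", "print", "hr-share", 9),
]


def run(events: List[Event]) -> Tuple[Dict[str, int], PolicyDocument]:
    """Evaluate all events; return the verdict tally and the document with
    its accumulated unknown-event signatures."""
    doc = build_policy()
    tally = Counter(doc.evaluate(ev) for ev in events)
    return dict(tally), doc


if __name__ == "__main__":
    tally, doc = run(SAMPLE_EVENTS)
    print("verdicts:", tally)
    print("review candidates:", doc.candidates())
```

The `candidates` threshold is the administrator's lever: raising it hides one-off noise, lowering it surfaces rare but possibly sensitive activity, and `promote` shows the step the background text says is missing, turning a reviewed unknown signature into a tracked rule.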